1. Close all ports except 5130 and 21
IPTABLES='/sbin/iptables'
$IPTABLES -A FORWARD -s 192.168.10.164 -p tcp -m tcp --dport 5190 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.10.164 -p tcp -m tcp --dport 21 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.10.164 -j DROP
2. Client behind NAT on iptables, and you need connect to remote VPN server o PPTPD
Option 1.
#!/bin/bash
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -t nat -F
DEPMOD='/sbin/depmod'
MODPROBE='/sbin/modprobe'
$DEPMOD -a
$MODPROBE ip_nat_pptp
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
Option 2.
#!/bin/bash
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
iptables -t nat -F
iptables -N pptp
iptables -A pptp -p tcp --destination-port 1723 --dst 192.168.1.8 -j ACCEPT
iptables -A pptp -p 47 --dst 192.168.1.8 -j ACCEPT
iptables -I FORWARD -j pptp
iptables -t nat -N pptp
iptables -t nat -A pptp -i eth2 -p tcp --dport 1723 -j DNAT --to 192.168.1.8:1723
iptables -t nat -A pptp -i eth2 -p 47 -j DNAT --to 192.168.1.8
iptables -t nat -A PREROUTING -j pptp
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
192.168.1.8 is internal clietn IP, eth2 is external NIC.
3. Firewall rules on router for connecting to VPN server on pptpd via router
#pptp
$IPTABLES -A INPUT --protocol tcp --dport 1723 -j ACCEPT
$IPTABLES -t nat -A PREROUTING --dst xxx.yyy.zzz.ccc -p tcp --dport 1723 -j ACCEP
$IPTABLES -A INPUT --protocol 47 -j ACCEPT
$IPTABLES -t nat -A PREROUTING --dst xxx.yyy.zzz.ccc -p 47 -j ACCEPT
4. Fast NAT configuration
iptables -t nat -A POSTROUTING -o eth0 <external> -j MASQUERADE
echo "1" > /proc/sys/net/ipv4/ip_forward
5. Port forwarding
iptables -A PREROUTING -t nat -p tcp -d 195.140.176.74 --dport 5900 -j DNAT --to 192.168.1.8:5900
6. Simple traffic counter
Once a day
iptables -L -n -v -Z >> traffic.log
- Other examples
iptables -L
iptables -A INPUT -s 192.168.75.0/24 -j REJECT
iptables -A INPUT -s 192.168.25.200 -p icmp -j DROP
iptables -A INPUT -s !192.168.1.0/24 -p tcp -j DROP
iptables -D INPUT -s 192.168.25.200 -p icmp -j DROP
iptables -A FORWARD -j DROP
service iptables save
chkconfig iptables on
chkconfig --list iptables
iptables -A INPUT -p tcp --dport 3128 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
modprobe -a ip_conntrack_ftp ip_nat_ftp
cat /etc/sysctl.conf
net.ipv4.ip_forward = 1